Data breaches highlight the need for proper data security

May 30, 2014

The UK Information Commissioner recently told the BBC that the reputational damage from a data breach can be far more significant than any penalty imposed by a regulator. That is a notable statement given that the Information Commissioner has the power to fine businesses up to £500,000 for serious breaches of the UK’s data protection legislation. He said:

“It’s our information, it needs to be protected and the brands that get it wrong will trash their reputation – that’s the real threat for the eBays and the Sonys of this world” and “… the real hit is reputation, the real hit is the brand.”

He also said:

  • that both individuals and businesses are “not sufficiently alert to what is going on in the 21st century”.
  • “Cyber crime is real. Hacking is real. Watch out, there’s a data thief about … the personal information that is there online – practically everything we do, social, business, work, buying stuff, holidays – the data imprint is huge and none of us are taking this seriously enough. None of us are as good as we should be about passwords, [from] changing passwords regularly, [to setting] credible, hard passwords … and companies aren’t taking this seriously enough and they should be.”

That experience is just as true in Australia. The UK protections are more comprehensive and effective than those under the Privacy Act, but the Privacy Commissioner now has enhanced powers to deal with breaches arising from inadequate security. The general level of understanding of what proper privacy protection by organisations involves is poor. With some notable exceptions, the sophistication of their systems, training, protocols and policies is also poor. Part of that is due to light-touch or no-touch regulation in the past, with no real exposure to a financial penalty for a breach beyond the cost of a pro forma apology. Given the migration of business online in the last decade, the potential for reputational damage and financial loss, as well as action by the Privacy Commissioner, makes such a lackadaisical attitude grossly irresponsible. But that is no guarantee that organisations will change their culture, make the effort and spend the money and other resources needed to be properly compliant. In this day and age the best approach is to adopt privacy by design in business processes and ICT infrastructure.

The eBay breach is not an isolated incident. On 14 May Experian suffered another data breach, which resulted in customers’ credit reports being accessed. The breach involved a client’s login credentials being compromised and used to access Experian’s credit report database. That led to a notification to the affected individuals, as is required in many US states under data breach notification laws. The notification provides:

This letter is to inform you that your personal information has been accessed without proper authorization. This unauthorized access took place on May 14, 2014.

Experian, one of the nationwide credit reporting agencies, identified that its client, Bluegrass Community Federal Credit Union [FCU], had certain Experian consumer information accessed without proper authorization. The consumer information consists of information found in a consumer report. Such information includes your name and address and one or more of the following: Social Security number, date of birth, or account numbers. Experian is actively working with Bluegrass Community FCU and law enforcement to investigate this matter. Contact information for Bluegrass Community FCU is as follows:

Bluegrass Community FCU

2321 Carter Ave

Ashland, KY 41101-7825

(606) 324-0888

Contact: Jamie Darling

Experian is providing the following information to help protect you from potential misuse of your information, including identity theft:

We recommend contacting the nationwide credit reporting agencies as soon as possible to:

  • Add a security alert statement to your credit file at the three national credit reporting agencies: Equifax, TransUnion and Experian. You only need to contact one of the three agencies listed below; your request will be shared electronically with the other two agencies. This security alert will remain on your credit file for 90 days. Information on security freezes may also be obtained.
  • Remove your name from mailing lists of pre-approved offers of credit for approximately six months.
  • Receive a free copy of your credit report.

……………

We also advise being vigilant when reviewing your account statements for any unusual activity. Another way to protect your identity from any misuse is to review your credit report frequently to ensure that all information is accurate. To assist you with protecting your personal information Experian will provide you with two years of complimentary credit monitoring and report through Experian’s ProtectMyID™ Elite product.

Meanwhile Trademotion, an eCommerce and data service provider to automotive dealers, was hacked, and clients’ names, postal and email addresses, telephone numbers and credit card numbers were exposed between 5 March and 2 May. One of Trademotion’s clients, AutoNation, has notified some of its online customers of the data breach.

These incidents are hugely embarrassing to businesses, cause inconvenience and distress to customers and may result in financial loss to both. Hacking is a constant and potentially growing problem. Many organisations don’t help themselves by having poor privacy protections. Proper protection is not just an off-the-shelf anti-virus program and a firewall. It includes proper staff training, sound data storage processes, encrypting data as a matter of course and proper password protection. The Experian incident is a reminder that a single compromised client login can expose an entire database, so access to sensitive data should not rest on a password alone and should be monitored for unusual activity.
